Friday, 30 June 2006

Ten Days Left for Cheaper USENIX Security Registration

Those of you who read the Atom or RSS feeds for this blog have been missing my personalized USENIX Security 2006 banner ad, visible to my Blogger readers. In fact, some of you might have no idea that I, Richard Bejtlich, write these words, thanks to the various people who copy and reproduce my blog postings without regard to my authorship!

In any case, there are ten days left for early registration for USENIX Security in Vancouver, BC. I will teach a brand new, two day course called TCP/IP Weapons School (TWS) on 31 July and 1 August 2006.

This...

Signs of Desperation from Duronio Defense Team

It sounds to me like the Duronio defense team has nothing left in its tank, so it's attacking Keith Jones directly. The latest reporting, UBS Trial: Defense Suggests Witness Altered Evidence, shows how ridiculous the defense team sounds:

"So when you talked about putting pieces of the puzzle together, you were missing three-quarters of the pieces for the [central file server] alone?" [defense attorney] Adams asked.

"The puzzle pieces I had to put together formed the picture I needed," Jones replied. "If the puzzle was of a boat, then I had enough...

Slides from FIRST 2006 Posted

Today I spoke briefly at the 18th Annual FIRST Conference in Baltimore, MD. Thanks to those who waited to see me fill the very last speaking slot on the very last day of the conference, before an extended holiday weekend. A few of you asked for my slides, so here they are -- The Network-Centric Incident Response and Forensics Imperati...

Tuning Snort Article in Sys Admin Magazine

Keep an eye on your local newsstands or mailbox for the August 2006 issue of Sys Admin magazine. They published an article I wrote titled Tuning Snort. I describe simple steps one should take with Snort to reduce the number of unwanted alerts. I used a beta of Snort 2.6.0 when writing the article a few months a...
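As an added example of what this kind of tuning does to alert volume (not code from the article, and not Snort's own implementation), here is a small model of Snort's threshold and suppress semantics run over a constructed alert stream. The threshold.conf equivalents in the comments are written from memory and are an assumption to check against the manual for your Snort release; the sids and addresses are arbitrary.

```python
"""Snort-style alert thresholding and suppression, run over a constructed alert
stream.  Added example for this page, not Snort's code and not the article's;
the semantics below follow Snort 2.x threshold.conf as I understand them
(assumption - check the manual for your release):
  limit      alert on the first `count` events per `seconds`, then drop the rest
  threshold  alert on every `count`-th event per `seconds`
  both       alert once per `seconds` after `count` events, then drop the rest
  suppress   never alert for this sid (optionally only for one tracked IP)
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    ts: float      # seconds since start of capture
    gid: int
    sid: int
    src: str
    dst: str


@dataclass(frozen=True)
class Threshold:
    gid: int
    sid: int
    kind: str      # "limit", "threshold" or "both"
    track: str     # "by_src" or "by_dst"
    count: int
    seconds: int


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str] = None   # None suppresses the sid entirely
    ip: Optional[str] = None


class AlertFilter:
    def __init__(self, thresholds: List[Threshold], suppressions: List[Suppress]):
        self.thresholds = {(t.gid, t.sid): t for t in thresholds}
        self.suppressions = suppressions
        # (gid, sid, tracked ip) -> (window start, events seen in window)
        self.windows: Dict[Tuple[int, int, str], Tuple[float, int]] = {}

    def _suppressed(self, a: Alert) -> bool:
        for s in self.suppressions:
            if (s.gid, s.sid) != (a.gid, a.sid):
                continue
            if s.track is None:
                return True
            if (a.src if s.track == "by_src" else a.dst) == s.ip:
                return True
        return False

    def allow(self, a: Alert) -> bool:
        """True if the alert should reach the analyst."""
        if self._suppressed(a):
            return False
        t = self.thresholds.get((a.gid, a.sid))
        if t is None:
            return True
        ip = a.src if t.track == "by_src" else a.dst
        key = (a.gid, a.sid, ip)
        start, n = self.windows.get(key, (a.ts, 0))
        if a.ts - start >= t.seconds:      # window expired: start a fresh one
            start, n = a.ts, 0
        n += 1
        self.windows[key] = (start, n)
        if t.kind == "limit":
            return n <= t.count
        if t.kind == "threshold":
            return n % t.count == 0
        if t.kind == "both":
            return n == t.count
        raise ValueError(f"unknown threshold type {t.kind!r}")


def apply_filter(alerts: List[Alert], thresholds: List[Threshold],
                 suppressions: List[Suppress]) -> List[Alert]:
    f = AlertFilter(thresholds, suppressions)
    return [a for a in alerts if f.allow(a)]


def count_by_sid(alerts: List[Alert]) -> Dict[int, int]:
    return dict(Counter(a.sid for a in alerts))


# Equivalent threshold.conf lines, as I recall the syntax (assumption):
#   threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60
#   threshold gen_id 1, sig_id 2925, type threshold, track by_src, count 5, seconds 60
#   threshold gen_id 1, sig_id 1000, type both, track by_dst, count 3, seconds 10
#   suppress gen_id 1, sig_id 2003, track by_src, ip 10.1.1.54
THRESHOLDS = [
    Threshold(1, 1851, "limit", "by_src", 1, 60),
    Threshold(1, 2925, "threshold", "by_src", 5, 60),
    Threshold(1, 1000, "both", "by_dst", 3, 10),
]
SUPPRESSIONS = [Suppress(1, 2003, "by_src", "10.1.1.54")]

# Constructed alert stream (sids and addresses chosen arbitrarily for the example).
SAMPLE_ALERTS: List[Alert] = (
    [Alert(float(t), 1, 1851, "192.0.2.7", "10.1.1.2") for t in range(10)]       # chatty scanner
    + [Alert(float(t), 1, 2003, "10.1.1.54", "10.1.1.2") for t in range(5)]      # known-benign host
    + [Alert(float(t), 1, 2003, "10.1.1.99", "10.1.1.2") for t in range(3)]      # not suppressed
    + [Alert(float(t), 1, 2925, "198.51.100.3", "10.1.1.2") for t in range(12)]  # report every 5th
    + [Alert(float(t), 1, 1000, "10.1.1.7", "10.1.1.3") for t in (0, 1, 2, 3, 11, 12, 13)]
)

if __name__ == "__main__":
    kept = apply_filter(SAMPLE_ALERTS, THRESHOLDS, SUPPRESSIONS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(kept)} after tuning")
    print(count_by_sid(kept))
```

The 37 constructed alerts collapse to 8: one for the scanner, three for the host that is not suppressed, two (the 5th and 10th) for the thresholded sid, and one per window for the "both" rule. The point of the model is the order of operations: suppression is checked first, then the per-IP window, so a suppressed source never consumes a threshold slot.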

Thursday, 29 June 2006

Jones Withstands Defense Attorneys

I've been covering the Duronio trial in which my friend Keith Jones is testifying as the government's star forensic witness. Today's story describes how Keith explained his findings while being attacked by defense attorneys. This excerpt is priceless:

At one point, [defense attorney] Adams laid out a scenario in which someone could have created a backdoor in the UBS system, and then deleted it before a backup was done to capture it. When he asked Jones if he, personally, could do such a thing, Jones replied, "I could do a lot of things. That's...

Binary Upgrade of FreeBSD 6.0 to 6.1

Several months ago I posted how I used Colin Percival's freebsd-update program to perform a binary upgrade from FreeBSD 5.4 to 6.0 remotely over SSH. Thanks to Colin's latest work, I was able to successfully perform a binary upgrade from FreeBSD 6.0 to 6.1 remotely over SSH.

hacom:/root/upgrade# uname -a
FreeBSD hacom.taosecurity.com 6.0-SECURITY FreeBSD 6.0-SECURITY #0: Tue Apr 18 08:56:09 UTC 2006 root@builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC...

Tuesday, 27 June 2006

Great Firewall of China Uses TCP Resets

This blog post about the Great Firewall of China by Cambridge University researchers is fascinating:

It turns out [caveat: in the specific cases we’ve closely examined, YMMV] that the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary...
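A practical consequence of a reset-injecting box sitting beside, rather than in, the forwarding path is that the forged RSTs can often be told apart from the real peer's segments: they come from a different host, so they tend to arrive with a different IP TTL, and the genuine peer keeps talking after the supposed reset. The following is an added example of that check, written for this page rather than taken from the Cambridge researchers or from this blog. The packet records are constructed by hand, and the "injector TTL differs from peer TTL" rule is the heuristic being illustrated, not a guarantee.

```python
"""Spot TCP resets that were probably injected by an in-path or on-path box.

Added example for this page; not code from the Cambridge paper or from this
blog.  Heuristic (assumption): a forged RST comes from a different host than
the real peer, so its IP TTL differs from the TTL seen on that peer's earlier
segments, and the real peer often keeps sending data after the 'reset'.
The packet list below is constructed by hand; there is no live capture.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    flags: str          # TCP flags as letters: S, SA, A, PA, RA, FA ...
    payload: bytes = b""


Direction = Tuple[str, int, str, int]   # one direction of one flow


def direction(p: Pkt) -> Direction:
    return (p.src, p.sport, p.dst, p.dport)


def find_injected_resets(pkts: List[Pkt]) -> List[Tuple[int, str]]:
    """Return (packet index, reason) for each RST whose TTL differs from the
    TTL learned from earlier non-RST segments in the same direction."""
    baseline_ttl: Dict[Direction, int] = {}
    findings: List[Tuple[int, str]] = []
    for i, p in enumerate(pkts):
        d = direction(p)
        if "R" not in p.flags:
            baseline_ttl.setdefault(d, p.ttl)   # first genuine segment sets the baseline
            continue
        seen = baseline_ttl.get(d)
        if seen is not None and seen != p.ttl:
            findings.append((i, f"RST TTL {p.ttl} != baseline TTL {seen}"))
    return findings


def data_after_reset(pkts: List[Pkt]) -> List[int]:
    """Indices of payload-carrying segments that arrive in a direction which
    already 'sent' an RST.  A real peer would not do that; the victim of an
    injector does, because it never sent the RST in the first place."""
    reset_seen: Dict[Direction, bool] = {}
    out: List[int] = []
    for i, p in enumerate(pkts):
        d = direction(p)
        if "R" in p.flags:
            reset_seen[d] = True
        elif p.payload and reset_seen.get(d):
            out.append(i)
    return out


CLIENT, SERVER = "10.0.0.5", "203.0.113.10"      # constructed addresses
CLIENT2, SERVER2 = "10.0.0.6", "203.0.113.20"

# Constructed capture: flow 1 trips a keyword filter, flow 2 gets a genuine RST.
SAMPLE: List[Pkt] = [
    Pkt(CLIENT, 40000, SERVER, 80, 64, "S"),                                        # 0
    Pkt(SERVER, 80, CLIENT, 40000, 49, "SA"),                                       # 1
    Pkt(CLIENT, 40000, SERVER, 80, 64, "A"),                                        # 2
    Pkt(CLIENT, 40000, SERVER, 80, 64, "PA", b"GET /?q=keyword HTTP/1.0\r\n\r\n"),  # 3
    Pkt(SERVER, 80, CLIENT, 40000, 58, "RA"),   # 4: forged, aimed at the client
    Pkt(CLIENT, 40000, SERVER, 80, 61, "RA"),   # 5: forged, aimed at the server
    Pkt(SERVER, 80, CLIENT, 40000, 49, "PA", b"HTTP/1.0 200 OK\r\n\r\n"),           # 6: real reply
    Pkt(CLIENT2, 40001, SERVER2, 80, 64, "S"),                                      # 7
    Pkt(SERVER2, 80, CLIENT2, 40001, 49, "SA"),                                     # 8
    Pkt(CLIENT2, 40001, SERVER2, 80, 64, "A"),                                      # 9
    Pkt(SERVER2, 80, CLIENT2, 40001, 49, "RA"),                                     # 10: genuine RST
]

if __name__ == "__main__":
    for i, why in find_injected_resets(SAMPLE):
        print(f"packet {i}: {why}")
    for i in data_after_reset(SAMPLE):
        print(f"packet {i}: peer kept sending after an RST in its name")
```

Two independent signals are better than one here: the TTL check catches both forged resets (packets 4 and 5) without touching the genuine server RST in the second flow, and the data-after-reset check on packet 6 corroborates that the server never closed the connection. On real traffic the TTL baseline should be learned per direction from several segments, since load balancers and asymmetric routing can legitimately shift it.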

Jones Connects with Jury

Keith Jones is connecting with his jury, according to the latest Information Security article on the Duronio trial:

Jones, trying to explain the program to the jury, said to think of a Looney Tunes cartoon where there's an alarm clock attached to a bundle of dynamite. The alarm clock is the trigger, he told the laughing jury, while the dynamite and resulting explosion make up the payload.

This excerpt tells me two facts. (1) Jones is using terminology the jury can understand. (2) The jury is listening to him. I'm looking forward to reading about...

Know Your Tools

In the network forensics portion of my Network Security Operations class I cover a variety of reasons to validate that one's tools operate as expected. I encountered another example of this today while capturing network traffic from a wireless adapter.

I explained several months ago how I use the ndis0 interface with a Linksys WPC54G adapter. This is a wrapper for the Windows driver packaged with the NIC. Here I am pinging another wireless host.

$ ping -c 3 192.168.2.31
PING 192.168.2.31 (192.168.2.31): 56 data bytes
64 bytes from 192.168.2.31:...

Monday, 26 June 2006

Details on Freenode Incident

If you're looking for details on the Freenode incident, check out Regular Ramblings. This single Slashdot post claims Ettercap was involved. I was online at the time as we...

Cluelessness at Harvard Law Review

Articles like Immunizing the Internet, or: How I Learned To Stop Worrying and Love the Worm (.pdf) in the June 2006 (link will work shortly) Harvard Law Review make me embarrassed to be a Harvard graduate. This is the central argument:

[C]omputer networks, particularly the Internet, can be thought of as having immune systems that are strengthened by certain attacks. Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This...

Saturday, 24 June 2006

This Is No Jokey

This book cover always elicits a laugh.

The idea that "hacking" is for "dummies" always bothered me. Is that all it takes to 0wn a system? Even a dummy could do it? Yes, that is a real book, with a second edition en route.

Today, I see this.

As we used to say when teaching at Foundstone, "this is no jokey." Are they kidding me? Who is the dummy here -- the person who is writing the rootkits or the person who buys this real book expecting to remove...

Got My Mac Mini

I may have waited seventeen months, but I bought a used PowerPC G4 Mac Mini through eBay. I'm running the Debian PowerPC port on it. Why? It's so darn simple. Download and burn .iso, boot in Mac Mini. Easy. I couldn't do that with FreeBSD. The only wrinkle I encountered involved trying to manually create the partition table. I repeatedly received an error (which I have since forgot), so I let Debian create the partition for me. Here is what it set up:

macmini:~# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda3 ...

New Review of Extrusion Detection Posted

Tony Stevenson wrote a very thorough review of my newest book, Extrusion Detection: Security Monitoring for Internal Intrusions. Tony really seems to understand this book, unlike the author of a recent review for Information Security magazine who completely missed the point of Extrusion. Tony writes in his review in Windows IT Library:

While it is true that his latest book can be read in isolation from the previous one, I agree with Bejtlich when...

Friday, 23 June 2006

A Real Logic Bomb

Logic bomb is a term often used in the media, despite the fact that almost all reporters (there are notable exceptions) have no clue what it means. Well, now we can look at a real one, thanks to forensics work by Keith Jones. He found a real logic bomb while doing forensics on the United States v. Duronio case. I worked the very beginning of this case while Keith and I were both at Foundstone. My small part involved trying to figure out how to...

Wednesday, 21 June 2006

Sguil Makes 2006 Top 100 Security Tools List

Fyodor of Nmap fame has posted the results of his 2006 survey of security tools. Fyodor posted the results at his new site SecTools.org. On page 4 you'll find Sguil listed as number 85 out of 100. Unfortunately, BASE beat out Sguil at number 82. Another personal regret is seeing Argus listed after BASE at number 83. The next time Fyodor asks for survey participation, I will have to respond!

Although the top 100 results are useful, some of the sub-categorization makes little sense. Sguil is listed in the Traffic Monitoring Tools subsection,...

Tuesday, 20 June 2006

Three Weeks Left for Early USENIX Registration

Three weeks remain for early registration for USENIX Security in Vancouver, BC. I will teach a brand new, two day course called TCP/IP Weapons School (TWS) on 31 July and 1 August 2006. Early registration ends 10 July.

Are you a junior security analyst or an administrator who wants to learn more about TCP/IP? Are you afraid to be bored in routine TCP/IP classes? TWS is the class you need to take! TWS is an excellent introduction to TCP/IP for those who are not ready for my Network Security Operations (NSO) class.

I have no plans at the moment...

Monday, 19 June 2006

Bejtlich Cited in Information Security Magazine

I had forgotten about these comments, but Mike Mimoso was kind enough to cite me in his article Today's Attackers Can Find the Needle:

"What hackers are realizing is that there are so many ways to get information out of an enterprise. As people get wise to them, hackers are adapting," says Richard Bejtlich, a former captain for the Air Force CERT and founder of consultancy TaoSecurity. He cautions businesses to focus on egress filtering as a means to monitor packets that leave your network. "Pay attention to what is leaving your company," Bejtlich...

Help with Site Redesigns

I built the existing TaoSecurity.com and Bejtlich.net Web sites with Nvu. I would like to redesign both sites, but I am not sure how to proceed. I approached one company and they told me they design sites using Wordpress. Another uses Joomla. I am not comfortable using PHP given some of the recent security problems I've seen. I'm not sure I want/need a database on the back end either.

I have a feeling that I could use a nice style sheet from Open Source Web Design and continue to use Nvu to generate static HTML. Does anyone have any comments...

IA Newsletter Article Posted

The Defense Technical Information Center houses a group called the Information Assurance Technology Analysis Center. IATAC publishes the IA Newsletter. I recently learned that an article I wrote, Network Security Monitoring: Beyond Intrusion Detection, was published in Volume 8, No. 4 (.pdf). I wrote it as a response to an earlier article called The Future of Network Intrusion Detection in Volume 7, No. 3 (.pdf). This earlier article preached the common idea that intrusion prevention systems are the future of network intrusion detection. Read...

Saturday, 17 June 2006

Three Pre-Reviews

Three generous publishers sent me three books to review this week. The first is Osborne's Hacking Exposed: Web Applications, 2nd Ed by Joel Scambray, Mike Shema, and Caleb Sima. I reviewed the first edition four years ago and loved it. The first edition was 386 pages, and the second is 520. Although each book has 13 chapters, only a few have the same name. I expect the involvement of a new co-author and many contributors have made this book relevant and worth reading.

The second is No Starch's Nagios: System and Network Monitoring by Wolfgang...

Tuesday, 13 June 2006

Holy Cow, I'm Going to SANS

I just signed up to attend the SANS Log Management Summit, 12-14 July 2006 in Washington, DC. I think this is a great opportunity to hear some real users and experts talk about log management. Given that it's located near me, I decided I could afford to pay my own way to this conference. Is anyone else attending? If yes, register by tomorrow for the cheapest rat...

Friday, 09 June 2006

Why Discard Your Brand?

Sometimes you have to make the best of a bad situation, with no warning. Good-bye Ethereal, hello Wireshark. Gerald Combs, original author and primary Ethereal developer, left his job at Network Integration Services, Inc. and joined CACE Technologies. Unfortunately, NIS owns the Ethereal trademark, and Mr. Combs wasn't able to take it with him. He also lost administrative rights to the servers hosting Ethereal.com, so he can't post news of the name change there. So, nearly eight years after the first public release, Ethereal is dead. Long...

Certification & Accreditation Re-vitalization

Thanks to the newest SANS NewsBites (link will work shortly), I learned of the Certification & Accreditation Re-vitalization Initiative launched by the Chief Information Officer from the office of the Director of National Intelligence. According to this letter from retired Maj Gen Dale Meyerrose, the C&A process is too costly and slow, due to "widely divergent standards and controls, the lack of a robust set of automated tools and reliance upon manual review." He wants to "move from a posture of risk aversion to one of risk management,...

Thursday, 08 June 2006

Dan Geer on Converging Physical and Digital Security

Dan Geer published an interesting article in the May/June 2006 issue of IEEE Security & Privacy. He questions the utility of converging physical and digital security "within a common reporting structure." In brief:

This observer says convergence is a mirage. The reason is time. Everything about digital security has time constants that are three orders of magnitude different from the time constants of physical security: break into my computer in 500 milliseconds but into my house in 5 to 10 minutes...

That is true, but the value of compromising...

Tracking Exploits

I received a link to this press release today. Unlike many press releases, this one contained interesting news. It reported that a new security company called Exploit Prevention Labs (XPL) just released their first Exploit Prevalence Survey™, which ranks five client-side exploits used to compromise Web surfers. This seems similar to US-CERT Current Activity, although that report jumbles together many different news items and doesn't name specific exploits. According to the press release:

The results of the monthly Exploit Prevalence Survey are...

Answering Penetration Testing Questions

Some of you have written regarding my post on penetration testing. One of you sent the following questions, which I thought I should answer here. Please note that penetration testing is not currently a TaoSecurity service offering, so I'm not trying to be controversial in order to attract business.

What do you feel is the most efficient way to determine the scope of a pen test that is appropriate for a given enterprise?

Prior to hiring any pen...

Tuesday, 06 June 2006

Notes from Techno Security 2006

Today I spoke at three Techno Security 2006 events. I started the day discussing basic and advanced enterprise network instrumentation topics. I ended the day on a panel discussion with Russ Rogers, Marcus Ranum, and Johnny Long, moderated by Ron Gula. My wife and daughter and I also shared lunch with Kevin Mandia and Julie Darmstadt, both of whom I worked with at Foundstone.

This was my second Techno Security conference. I want to record a few thoughts from this conference, especially after hearing Marcus speak yesterday and after joining today's...

Sunday, 04 June 2006

Follow-Up to Donn Parker Story

My earlier post is being debated on the private Security Metrics mailing list. I posted the following tonight:

Chris Walsh wrote:
> Alrighty.
>
> It's time for a Marines vs. Air Force slapdown!

I should have anticipated that someone on this list would read my blog!

I do not agree with all of Donn's points, and I state in my post some of his ideas are weak. I would prefer Donn defend himself in person. However, I am going to stand by this statement:

"As security professionals I agree we are trying to reduce risk, but trying to measure it is a waste...

Nessus 3.0.3 on FreeBSD

Several times last year I talked about using Nessus on FreeBSD. Last night I finally got a chance to install and try Nessus 3.0.3 on FreeBSD. Here's how I did it.

First I downloaded Nessus 3.0.3 as a package for FreeBSD 6.x (called Nessus-3.0.3-fbsd6.tbz). I added the package:

orr:/root# pkg_add -v Nessus-3.0.3-fbsd6.tbz
Requested space: 16570324 bytes, free space: 4394956800 bytes in /var/tmp/instmp.YdVsPF
Running pre-install for Nessus-3.0.3..
extract:...

Friday, 02 June 2006

Excellent Articles in Newest NWC

I wanted to briefly mention three great articles in the newest Network Computing magazine:

Market Analysis: Security Information Management by Greg Shipley
Review: Security Information Management Products
Affordable IT: Leasing IT Equipment by Andrew Conry-Murray

All three are free and fairly informative. I hear a lot of buzz about leasing hardware and software. Are you turning to leasing instead of buying? If so, what are you leasing, and w...

Risk-Based Security is the Emperor's New Clothes

Donn Parker published an excellent article in the latest issue of The ISSA Journal titled Making the Case for Replacing Risk-Based Security. This article carried a curious disclaimer I had not seen in other articles:

This article contains the opinions of the author, which are not necessarily the opinions of the ISSA or the ISSA Journal.

I knew immediately I needed to read this article. It starts with a wonderful observation:

What are we doing wrong? Is the lack of support for adequate security linked to our risk-based approach to security? Why can't...